- terraform-state

  - add `sso_permissionset_names` for use of assume role by SSO roles

CHANGELOG.md

@@ -196,3 +196,7 @@
 * 1.16.6 -- 2023-01-03
   - iam-general-policies
     - add ipr_vpc_endpoints to enable S3 interface endpoints
+
+* 1.16.7 -- 2023-09-30
+  - terraform-state
+    - add `sso_permissionset_names` for use of assume role by SSO roles

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.16.6"
+  _module_version = "1.16.7"
 }

terraform-state/README.md

@@ -36,6 +36,7 @@ module "tfstate_full" {
   tfstate_bucket        = "inf-tfstate-123456789012"
   tfstate_bucket_prefix = "inf-tfstate"
   tfstate_key_suffix    = "terraform.tfstate"
+  ## sso_permissionset_names =  [ "inf-terraform" ]
 
   # this is generally not needed and not recommended
   component_tags        = {
@@ -46,6 +47,8 @@ module "tfstate_full" {
   }
 }
 ```
+## sso\_permissionset\_names
+This is a list of SSO Permission set names, which turn into a role name, for which to allow an assume role into the `inf-terraform` role.
 
 ## Requirements
 
@@ -94,18 +97,22 @@ No modules.
 | [aws_iam_policy_document.tfstate_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.tfstate_read](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.tfstate_write](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_kms_key.kms_dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_key) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_bucket_key_enabled"></a> [bucket\_key\_enabled](#input\_bucket\_key\_enabled) | Enable or disable the use of S3 Bucket Keys (see AWS documetnation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html). | `bool` | `false` | no |
 | <a name="input_component_tags"></a> [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms, ddb) | `map(map(string))` | <pre>{<br>  "ddb": {},<br>  "kms": {},<br>  "s3": {}<br>}</pre> | no |
 | <a name="input_kms_tfstate_key"></a> [kms\_tfstate\_key](#input\_kms\_tfstate\_key) | Terraform remote state KMS key alias | `string` | `"k-kms-inf-tfstate"` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name suffix to use for policies, roles and groups (default: inf-terraform) | `string` | `"inf-terraform"` | no |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_sso_permissionset_names"></a> [sso\_permissionset\_names](#input\_sso\_permissionset\_names) | List of SSO Permissionset Names (aka, SSO roles) to allow to assume the role | `list(string)` | <pre>[<br>  "inf-terraform"<br>]</pre> | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
 | <a name="input_tfstate_bucket"></a> [tfstate\_bucket](#input\_tfstate\_bucket) | Terraform remote state S3 bucket | `string` | `""` | no |
 | <a name="input_tfstate_bucket_prefix"></a> [tfstate\_bucket\_prefix](#input\_tfstate\_bucket\_prefix) | Terraform remote state S3 bucket prefix, prepended to the AWS account ID to make the bucket name. | `string` | `"inf-tfstate"` | no |

terraform-state/main.tf

@@ -37,6 +37,7 @@
 *   tfstate_bucket        = "inf-tfstate-123456789012"
 *   tfstate_bucket_prefix = "inf-tfstate"
 *   tfstate_key_suffix    = "terraform.tfstate"
+*   ## sso_permissionset_names =  [ "inf-terraform" ]
 *
 *   # this is generally not needed and not recommended
 *   component_tags        = {
@@ -47,6 +48,9 @@
 *   }
 * }
 * ```
+* ## sso_permissionset_names
+* This is a list of SSO Permission set names, which turn into a role name, for which to allow an assume role into the `inf-terraform` role.
+*
 */
 
 locals {
@@ -64,6 +68,10 @@ locals {
   }
 }
 
+# this pre-loads the key so that it is ready when the DDB table create happens
+data "aws_kms_key" "kms_dynamodb" {
+  key_id = "alias/aws/dynamodb"
+}
 
 #---
 # dynamodb table
@@ -146,6 +154,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "tfstate" {
       kms_master_key_id = aws_kms_key.tfstate_key.arn
       sse_algorithm     = "aws:kms"
     }
+    bucket_key_enabled = var.bucket_key_enabled
   }
 }
 

terraform-state/policy.tf

@@ -25,7 +25,7 @@ resource "aws_iam_policy" "tfstate_write" {
 }
 
 resource "aws_iam_policy" "allow_assume_role" {
-  name        = format("%v-%v", var.name, "allow-assume")
+  name        = format("%v%v-%v", lookup(local._prefixes, "policy", ""), var.name, "allow-assume")
   path        = "/"
   description = "Assume role for Terraform activity"
   policy      = data.aws_iam_policy_document.allow_assume_role.json

terraform-state/role.tf

@@ -3,9 +3,12 @@ locals {
   role_description            = format("Role to be assumed Terraform execution %v", var.name)
   role_managed_policies_names = ["AdministratorAccess"]
   role_managed_policies       = [for k, p in data.aws_iam_policy.role_managed_policies : p.arn]
+  sso_role_arn_formats = [
+    format("arn:%v:iam::%v:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_%%v_*", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id),
+    format("arn:%v:iam::%v:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_%%v_*", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id),
+  ]
 }
 
-
 data "aws_iam_policy" "role_managed_policies" {
   for_each = toset(local.role_managed_policies_names)
   name     = each.key
@@ -51,10 +54,22 @@ data "aws_iam_policy_document" "allow_sts" {
     effect  = "Allow"
     actions = ["sts:AssumeRole"]
     principals {
-      type = "AWS"
-      identifiers = [
-        format(local.iam_arn, "root"),
-      ]
+      type        = "AWS"
+      identifiers = [format(local.iam_arn, "root")]
+    }
+  }
+  statement {
+    sid     = "AllowSTSAssumeFromSSO"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "AWS"
+      identifiers = [format(local.iam_arn, "root")]
+    }
+    condition {
+      test     = "ArnLike"
+      variable = "aws:PrincipalArn"
+      values   = flatten([for p in var.sso_permissionset_names : [for f in local.sso_role_arn_formats : format(f, p)]])
     }
   }
 }

terraform-state/variables.tf

@@ -54,3 +54,15 @@ variable "name" {
   type        = string
   default     = "inf-terraform"
 }
+
+variable "bucket_key_enabled" {
+  description = "Enable or disable the use of S3 Bucket Keys (see AWS documetnation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html)."
+  type        = bool
+  default     = false
+}
+
+variable "sso_permissionset_names" {
+  description = "List of SSO Permissionset Names (aka, SSO roles) to allow to assume the role"
+  type        = list(string)
+  default     = ["inf-terraform"]
+}